Serendipity – Entries for February 2014

Dear Serendipity users. I'm terribly sorry to inform you that all bad things come in threes and we have to put out yet another release, Serendipity 1.7.8, to fix another regression bug that was caused by the prior 1.7.6/1.7.7 release. By fixing the security issue, I introduced a bug that prevents saving entries if you preview them before saving.

Thanks to the bug reports on the forum and the quick response of Timbalu, we were able to quickly supply a fix for this, contained in this new 1.7.8 release. At least, upgrading is still easy, right? ;-)

Thanks (again!) to Stefan Schurtz for bringing three security issues to our attention, which are fixed with Serendipity 1.7.7:

An XSS by using a specially crafted username can happen when viewing the "Manage users" screen

An XSS when creating an entry with specially crafted id/timestamp values

SQL injection when installing a plugin with a specially crafted name
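The three issues above fall into two classes: untrusted values rendered into backend HTML without escaping, and an untrusted value interpolated into SQL. The following PHP snippet is an added illustration of the corresponding defensive patterns; it is not Serendipity's own code, and the function names, the `plugins` table and the sample data are assumptions made for the example.

```php
<?php
// Added illustrative example, not Serendipity's code. It shows the two patterns
// that close the bug classes listed above: HTML-escaping untrusted values before
// rendering them in a backend screen, and binding untrusted values (such as a
// plugin name) as query parameters instead of interpolating them into SQL.

declare(strict_types=1);

/** Escape a value for safe inclusion in HTML text or attribute context. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render one row of a hypothetical "Manage users" table with escaped output. */
function renderUserRow(array $user): string
{
    return '<tr><td>' . h((string) $user['id']) . '</td>'
         . '<td>' . h($user['username']) . '</td></tr>';
}

/** Look up a plugin by name with a bound parameter (hypothetical table/columns). */
function findPlugin(PDO $db, string $pluginName): ?array
{
    $stmt = $db->prepare('SELECT name FROM plugins WHERE name = :name');
    $stmt->execute([':name' => $pluginName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample: a username carrying markup is rendered as inert text.
$sample = ['id' => 7, 'username' => '<script>alert(1)</script>'];
echo renderUserRow($sample), PHP_EOL;

// Constructed sample: an in-memory SQLite database shows that a quote inside the
// plugin name is treated as data by the bound query rather than as SQL syntax.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE plugins (name TEXT)');
$db->exec("INSERT INTO plugins (name) VALUES ('serendipity_event_nl2br')");
var_dump(findPlugin($db, 'serendipity_event_nl2br'));
var_dump(findPlugin($db, "x' OR '1'='1"));
```

The escaping helper is applied at output time, in the HTML context where the value is rendered, rather than at input time; the bound parameter means the database driver never parses the plugin name as part of the statement.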

Now, all these issues can only be exploited in the backend, so someone would need to send you a maliciously crafted link which you click on (or your own blog editors, if you have them, would have to target you). Since nowadays people can easily be tricked into "clicking" crafted links (for example by hiding them behind URL shorteners like bit.ly), we regard this issue as critical, and you should upgrade as soon as you can. Remember that you can always improve your chances of not being affected by XSS attacks like these by logging out of Serendipity when you are no longer working in it; then XSS attacks through such links will not be executed, since you would first need to log in to your backend. This applies to any web application, so make use of the Logout button. ;-)

This release also addresses an issue with the nl2br plugin in conjunction with the WYSIWYG editor. The plugin will now show some useful information in its configuration screen on how to use it if you also use WYSIWYG editors or other markup plugins. Also, the templatechooser plugin will now work properly again with some older templates. The fix for the textile plugin not working properly on PHP < 5.3 has also been addressed (again).

Upgrading Serendipity is as simple as usual: ideally make a backup first, and then just upload the new release files over your blog installation.

UPDATE: The release 1.7.6 had a typo in one PHP file, so 1.7.7 has been released immediately after this.